In a landmark legal development, Conor Brian Fitzpatrick, the 22-year-old former administrator of the notorious cybercrime marketplace BreachForums, has been ordered to forfeit nearly $700,000 to settle a civil lawsuit stemming from a significant healthcare data breach. This case marks a rare instance where a cybercriminal faces direct financial penalties for facilitating the sale of stolen data on their platform.
Background on BreachForums and Fitzpatrick’s Role
Fitzpatrick, known online by the alias Pompompurin, launched BreachForums in March 2022 as a successor to RaidForums, which had been dismantled by the FBI. As the administrator, he personally vetted databases for sale and provided escrow services to facilitate transactions between cybercriminals. Under his leadership, BreachForums amassed over 300,000 users and facilitated the sale of databases containing more than 14 billion individual records. Despite multiple law enforcement takedowns, including the most recent in April 2025, iterations of BreachForums have persistently resurfaced online, underscoring the challenges in permanently disrupting cybercriminal marketplaces.
The Nonstop Health Data Breach
The legal action against Fitzpatrick was initiated after sensitive personal information from Nonstop Health, a California-based insurance provider, appeared for sale on BreachForums in January 2023. The data breach exposed tens of thousands of records containing Social Security numbers, birthdates, addresses, and phone numbers of Nonstop Health customers. In an unprecedented legal strategy, Nonstop Health’s attorneys added Fitzpatrick as a third-party defendant to their class action litigation in November 2023, following his arrest by the FBI on criminal charges of conspiracy to commit access device fraud and possession of child sexual abuse material.
Legal Implications and Settlement Details
This case represents a significant shift in how threat actors may be held accountable through civil channels. Jill Fertel, a former prosecutor leading the cyber litigation practice at Cipriani & Werner, representing Nonstop Health, stated, “This is the first and only case where a cybercriminal or anyone related to the security incident was actually named in civil litigation.” The $700,000 forfeited by Fitzpatrick will contribute to the broader $1.6 million class action settlement that Nonstop Health agreed to in January 2025. Class members are eligible to receive reimbursement for out-of-pocket losses up to $5,000 for unreimbursed fraud, identity theft, and related costs.
Fitzpatrick’s Ongoing Legal Challenges
Fitzpatrick’s legal troubles extend beyond civil liability. Despite pleading guilty to serious charges, including possession of over 600 images of child sexual abuse material, he initially received a relatively lenient sentence in January 2024—time served plus 20 years of supervised release. Federal prosecutors appealed this sentence, arguing it failed to reflect the severity of his crimes. Their case was bolstered when Fitzpatrick violated his release conditions by accessing unauthorized computer systems via virtual private networks (VPNs) and professing innocence on Discord despite his guilty plea. In January 2025, the U.S. Court of Appeals vacated his original sentence and ordered resentencing for June 3, 2025.
The Broader Impact on Cybercrime Enforcement
This case underscores the evolving landscape of cybercrime enforcement, where legal strategies are increasingly targeting not only the perpetrators of data breaches but also the facilitators who provide platforms for such illicit activities. The substantial financial penalty imposed on Fitzpatrick serves as a deterrent to others operating similar platforms and highlights the potential for civil litigation to complement criminal proceedings in addressing cybercrime.